octo | fbc82a2845b795977f98af922094399e93bca6549bc5fd905ac6b3c9a723a406 | Triage

Analysis

max time kernel
149s
max time network
152s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
11-11-2024 22:08

Sharing

Report Analysis Logs

General

Target

fbc82a2845b795977f98af922094399e93bca6549bc5fd905ac6b3c9a723a406.apk
Size

2.4MB
MD5

b7a5dea57583307782af8b0b373c9083
SHA1

a39c39d3198c443d1911189d55e077bb4562fb34
SHA256

fbc82a2845b795977f98af922094399e93bca6549bc5fd905ac6b3c9a723a406
SHA512

849081760147fc9d6fb533f45401bfb3098f6b0023a60c56a3f1fc6bc663e7564c1eb0a964e40ac9e99586b958f48dcd6a9f8bd6cdcee035b6544f4cb8ba7650
SSDEEP

49152:9svNvYu+XP3uWyZCIckqYvsW1fHBAj6eItgNmYE4XVV0ACkZsAKVfHBKNYvRs0:kmuePeWyM/khvsCfhAj6TtEi4z0TkaVb

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

C2

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

rc4.plain

Extracted

Family

octo

C2

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

pid	Process
4218	com.pressendta

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

Download New Code at Runtime

ioc	pid	Process
/data/user/0/com.pressendta/cache/cnkzsc	4218	com.pressendta
/data/user/0/com.pressendta/cache/cnkzsc	4218	com.pressendta

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

Screen Capture

Keylogging

GUI Input Capture

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.pressendta
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.pressendta

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.pressendta

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.pressendta

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

Prevent Application Removal

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.pressendta
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.pressendta
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.pressendta
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.pressendta

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

System Network Configuration Discovery

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.pressendta

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.pressendta

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

User Evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.pressendta

Requests modifying system settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.pressendta

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Broadcast Receivers

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.pressendta

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Data Encrypted for Impact

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.pressendta

com.pressendta
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4218

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Access Notifications

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Access Notifications

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.pressendta/cache/cnkzsc

Filesize
2.3MB

MD5
32e1e932a9c66ff01d4cf568abeac4ee

SHA1
c0b4657f6d653c324d5e0bfd04b50b45e01ab2c2

SHA256
c727a002aa7cfc58750e30dcc11d4eac288e18cf32fd3570d2f159cddefb91bb

SHA512
e25b005e2184fb77879ebfb160d42d0a5a78fecde4734727c4c889ef84ad44ba452a2285d449d03f8046f6f6160ec4b5598db919a020241a5629934738172843

Download Submit
/data/data/com.pressendta/cache/oat/cnkzsc.cur.prof

Filesize
517B

MD5
ecc7b4a6008dfdd8468c62e05d76b376

SHA1
a02b2a03f8d1f44543d7b58d052486d69738f3db

SHA256
1142a366e3d74afee1a20535cbd4c5d5aecfe74b995d78a9b7ac92aa6dc300a5

SHA512
9c1150269e93d14c3196bebd4af56884ca46f8bc01099549941f2c5994c25c32bd64509c6d3220b5bd5d3ab7bc45e9c65234eaeb97d451a090dd98f271bc9d6c

Download Submit